ISO 9001:2015 Risk-based Thinking
Warren discusses Risk-based Thinking required by ISO 9001:2015 QMS Requirements including new risk terminology in ISO 9000:2015 QMS Fundamentals and Vocabulary.

Posted: 2016-03-03
Format: Mp4
Duration: 13:02
Tags: Risk, Risk-based Thinking, ISO 9001:2015, ISO 9000:2015, risk mitigation, risk review, ISO QMS Fundamentals and Vocabulary

ISO 9001 was revised in September of 2015. Included in the Quality Management System (QMS) requirements is an element called Risk-based Thinking. Risk-based thinking is required for certification under ISO 9001:2015. Risk-based thinking and improvement have replaced the preventive action section of the ISO 9001:2008 standard. Organizations must plan and implement actions to address risks and opportunities and those actions must be proportionate to the potential impact of the risk or opportunity.

Risk is defined as "the positive or negative effect of uncertainty". In the ISO 9001:2015 standard, organizations are required to consider both negative and positive risks and the treatment of both. The organization will surely want to reduce its exposure to a negative risk or exploit a positive risk. While many organizations produce massive amounts of information and data, that information and data must be meaningful for the organization to take appropriate actions. Information and data influence uncertainty, and the lack of 'meaningful information' poses a significant risk for any organization.

We begin our discussion of risk-based thinking with one of the Quality Management principles covered in the introduction video: the Process Approach. The process approach is defined as the "process and system-level view of linkages, interfaces, and process interactions". It applies the PDCA cycle with an overall focus on risk-based thinking. PDCA (Plan, Do, Check, Act) is applied to all processes and to the Quality Management System as a whole. Because the PDCA cycle is iterative, using the Plan, Do, Check, and Act cycle lets us consider opportunities as well as risks. The risks and opportunities will change dynamically based upon influences on the organization.

QMS process objectives should have planned outcomes and should consistently deliver those outcomes. The "do step" in PDCA is where the work is accomplished. At this step, the organization implements and performs the processes while monitoring the output / outcome. During the "check step", we monitor, gather, verify, validate, and report the information and data that the organization has collected. After these measures and metrics have been captured, the organization analyzes the information and decides whether additional actions or changes to the "plan step" are needed. If so, actions are decided and action plans performed in the "act step". The PDCA cycle may happen numerous times a day or week, or only several times per year, to support the process approach.

Risk-based thinking is defined as the "planned and implemented actions to address risks and opportunities pertaining to undesired outputs". There are negative risks, referred to as threats, and there are also positive risks, known as opportunities. Opportunities should be exploited while the remaining 'risk' is mitigated to an acceptable level, depending upon the risk tolerance of the organization. Risk treatment is the "proactive management of risk using countermeasures and controls". Risk is often expressed as a combination of likelihood and consequence (impact). Likelihood is the probability of an event occurring or recurring, while consequence is the possible impact of an event, characterized as effect or influence. An effective risk management strategy involves proactive and iterative risk identification, risk ranking, risk treatment, and risk monitoring. The risk rating places the identified risks and opportunities in order based on frequency, likelihood, severity, and impact / benefit to objectives. Monetary consequences, loss of customers, legal exposure, impact on interested parties, and other ranking criteria together form the organizational risk posture. Risk terms and methodologies are discussed further on my Risk Management Strategy page.

Risk identification in the ISO 9001:2015 standard begins in clause 4. The 'starting point' is identifying internal and external "issues" and understanding the organizational context, purpose, and strategic direction. The organization must proactively monitor and review information about these external and internal issues. The vision statement, mission statement, policies, strategic objectives, legal exposure, technological challenges, and competition provide insight, along with organizational culture, geographical orientation, organizational knowledge, performance, and historical information. ISO 9001:2015 requires actions to address the identified risks and opportunities. Of concern during this process are the quality management system objectives, processes and controls, resources, improvement needs, customer requirements, organizational changes, product and/or service requirements, external providers, and the specific business environment, including internal and external effects and influences.

Remember, ISO 9001:2015 tells us what to do, but it does not tell us how to do it. I hope this information has been helpful in understanding the risk-based thinking requirements of ISO 9001:2015.

Warren Alford
